EU-US Umbrella Agreement

Summary

The EU-US agreement, the so-called "Umbrella Agreement," is a framework for transatlantic data transfer between the US and the EU. The proposed goal of the Agreement is to provide data protection safeguards for personal information transferred between the EU and the US.

Top News

Court Dismisses Suits Against OPM Over Data Breach that Affected 22 Million: A federal court in Washington, DC has dismissed two lawsuits against the Office of Personnel Management over the data breaches that compromised the records of 22 million federal employees and family members. The court acknowledged the "troubling allegations" raised by OPM's victims but ruled that "the fact that a person's data was taken" is not "enough by itself to create standing to sue." EPIC has long argued that data breach victims should not wait until they suffer identity theft to sue the parties that failed to protect their data. EPIC also filed comments last year with OPM recommending limits on data collection, has recommended updates to the federal Privacy Act, and has urged the Supreme Court to recognize a right to "informational privacy" and to ensure Privacy Act damages for non-economic harm. (Sep. 20, 2017)

EPIC Tells Congress US-UK Surveillance Agreement Should be Made Public: EPIC has sent a statement to the House Judiciary Committee for a hearing on "Data Stored Abroad." According to news reports, the United States and the United Kingdom are drafting a secret agreement for transnational access to personal data that would bypass legal and judicial safeguards. In November 2016, EPIC filed a FOIA Request for the draft US-UK agreement. The Justice Department recently informed EPIC that responsive documents had been located and would be referred to the State Department for additional processing. EPIC has long pursued public release of international agreements. In 2016, EPIC obtained the "Umbrella Agreement," concerning the transfer of personal data from the EU to the US, after a successful Freedom of Information Act lawsuit. (Jun. 14, 2017)

During the final week in office, the Obama Department of Justice released the list of European countries covered under the Judicial Redress Act. The Act gives citizens of these countries limited rights under the US Privacy Act. The Act implements the US-EU "Umbrella Agreement," which is a framework for transferring law enforcement data across the Atlantic. The Act came about in response to the Schrems decision, which held that the United States lacks adequate data protection. EPIC had recommended substantial changes to the Judicial Redress Act, explaining in a letter to Congress that the bill still did not provide adequate protection to permit transborder data flows and fails to provide necessary updates for U.S. citizens. EPIC successfully sued the Justice Department to obtain the full text of the Umbrella Agreement.

EPIC has submitted comments on Circular A-108, guidelines proposed by the Office of Management and Budget for federal agency compliance with the Privacy Act. EPIC warned that agencies frequently misuse exceptions to the Privacy Act to circumvent important safeguards required by law. EPIC urged the OMB to "strengthen its guidance on federal agency implementation of the Privacy Act" and to limit the 'routine use' exemption. EPIC regularly comments on privacy safeguards for federal databases and has urged Congress to modernize the Privacy Act.

After months of delay, the Department of Justice has finally released to EPIC the full text of the EU-US Umbrella Agreement. EPIC sued the DOJ last year after the agency failed to act on EPIC's FOIA request for the secret agreement. Today's release comes on the heels of EPIC's opposition to the agency's attempt to further delay the Agreement's release. The Umbrella Agreement outlines data transfers between EU and US law enforcement agencies, and is the basis for the Judicial Redress Act currently before Congress. EPIC has criticized the legislation, and recently urged the Senate to delay action on the bill until the DOJ releases the Umbrella Agreement and the Judiciary Committee holds a hearing on the legislation.

Today EPIC urged the Senate Judiciary Committee to postpone action on the Judicial Redress Act until the Department of Justice releases a secret data transfer agreement on which the bill is based. The so-called Umbrella Agreement outlines data transfers between law enforcement agencies in Europe and the United States. EPIC has sued the DOJ for release of the document. EPIC also urged the Senate Committee to conduct a public hearing on Privacy Act modernization following the massive data breach at the Office of Personnel Management. EPIC previously wrote to the House Judiciary Committee to recommend updates to the Privacy Act.

In its fight to obtain a copy of the EU-US Umbrella Agreement, EPIC asked a federal court in Washington, D.C. today to grant default judgment against the Department of Justice. EPIC sued the agency to obtain the secret agreement, which concerns the transfer of personal information between the EU and US. After the DOJ failed to answer EPIC's complaint, the court entered default against the agency. The Agreement is central to pending legislation, which the Senate Judiciary Committee is set to debate this month, yet the DOJ has not made the document available to the public or to Members of Congress.

In a statement issued today, EPIC supported a recent opinion of the Advocate General of the Court of Justice of the European Union which found that the Safe Harbor Arrangement was invalid. Safe Harbor has operated for several years as a substitute for the legal protections that would otherwise be required for the transfer of personal data across national borders. EPIC said that Safe Harbor has "given rise to significant concerns on both sides of the Atlantic about the adequacy of the privacy and security afforded personal information." Earlier today the US Mission issued a statement calling into question the opinion of the Advocate General. The Mission stated that the PRISM program, operating in conjunction with Safe Harbor and involving the mass surveillance of EU citizens, is "duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations."

Background

On September 8, 2015, European and US officials announced that they had concluded an agreement on data protection for transatlantic criminal investigations. The EU Justice Commissioner stated, "Once in force, this agreement will guarantee a high level of protection of all personal data when transferred between law enforcement authorities across the Atlantic." Despite the announcements, neither US officials nor their European counterparts made the text of the Agreement public.

EPIC's Interest

EPIC supports the establishment of a comprehensive legal framework to enable transborder data flows. EPIC previously urged that the United States begin the process of ratification of Council of Europe Convention 108.

The federal Privacy Act of 1974 places a duty upon federal agencies that maintain personal information to protect that data. This duty and concomitant responsibilities arise from the collection of personal data. Therefore, it does not matter what the data owner's citizenship or origin is. EPIC has previously made recommendations regarding Privacy Act modernization. EPIC routinely provides comments to federal agencies regarding Privacy Act compliance, and we have provided amicus briefs to the U.S. Supreme Court in two Privacy Act cases, Doe v. Chao and FAA v. Cooper. EPIC has also written extensively on data protection concerns arising from the transfer of personal information between the European Union and the United States.

Judicial Redress Act of 2015

Significantly, the Umbrella Agreement requires amendment to the US Privacy Act of 1974 before it has legal effect. Congress has proposed this legislation in the Judicial Redress Act of 2015.

In a letter to the House Judiciary Committee, EPIC recommended changes to the Judicial Redress Act to provide meaningful protections for data collected on non-U.S. persons. The bill, also pending in the Senate, seeks to amend the federal Privacy Act. EPIC explained that the legislation under consideration fails to provide adequate protection to permit transborder data flows. EPIC also pointed to increasing public concern in the United States about failure to enforce the law. EPIC has previously recommended Congressional action to ensure adequate protections for all personal information collected by U.S. federal agencies. EPIC is also seeking public release of the text of the EU-US "Umbrella Agreement."